DETAILED ACTION



1. This communication is in response to applicant's response received on 
07/30/2007. 

2. Claims 1-28 are pending. 

3. Claims 1-6, 11-15 and 18 are amended. 

4. Claims 19-28 are new. 

Response to Arguments 

Applicant's arguments have been fully considered but they are not persuasive. 

1. Applicant's amendments to the specification, drawing and claims are not
sufficient to overcome all the objections and rejections under 35 USC § 112. See below
for further objections to the specification and drawing number 2 and rejections of claims
under 35 USC § 112.

2. Applicant on page 13, lines 10-14 of the remarks argues that "as stated in
amended claim 1, the present invention, on the other hand, will allow a verified user
to continue to have access, and only applies a rate limit to an apparatus when a user is
not verified".

Examiner respectfully disagrees and asserts that the amended claim 1 recites
"applying a rate limit for verifying access to said service... until said identification data is
received from a user... and verified by said access control system", which is different
from the "will allow a verified user to continue to have access, and only applies a rate
limit to an apparatus when a user is not verified". Furthermore, the disclosed system of
Guthrie detects too many successive authorization failures (see col. 8, lines 11-12),
which corresponds to the recited applying rate limit.

3. Applicant on page 13, lines 15-17 of the remarks argues that "on the other hand,
in the present invention it is a particular machine, based on address data or unique 
identification number, that may be blocked, not a user". This limitation is not recited by 
any of the claims 1, 14 and 18. 

4. Applicant on page 13, lines 18-19 of the remarks argues that "Guthrie et al. does
not appear to apply to anonymous users or users seeking to use the same credentials; 
whereas the present invention is able to deal with both." None of the claims 1, 14 and 
18 appear to recite this statement. 

5. Examiner, however, in light of the above submission maintains the previous 
rejections while considering the new claims and the amendments to the claims as 
follows: 

Specification 

The following amendments to the specification should be made in addition to the 
amendments filed by the applicant on 07/30/2007: 

1. A new section titled "Field of the Invention" or "Technical Field" should be added
on page 1 after the title of the specification "AN ACCESS CONTROL METHOD". This
section should contain a statement of the field of art to which the invention pertains.
This statement may include a paraphrasing of the applicable U.S. patent classification
definitions of the subject matter of the claimed invention.

2. Instead of applicant's suggestion to insert "BACKGROUND" above the
paragraph beginning on page 1, line 15, the title "Background of the Invention" should 
be inserted after the new section suggested above, titled "Field of the Invention" and 
above the original second paragraph beginning on page 1, line 6. 

3. The title "DESCRIPTION OF DRAWINGS" suggested by the applicant should be 
replaced by the "Brief Description of the Drawings". 

4. A substitute specification excluding the claims is required pursuant to 37 CFR
1.125(a) because the current specification does not refer to the Fig. 2. The specification
should describe the Fig. 2 in detail with proper reference number to the corresponding
sections or blocks of the drawing.

A substitute specification must not contain new matter. The substitute 
specification must be submitted with markings showing all the changes relative to the 
immediate prior version of the specification of record. The text of any added subject 
matter must be shown by underlining the added text. The text of any deleted matter 
must be shown by strike-through except that double brackets placed before and after 
the deleted characters may be used to show deletion of five or fewer consecutive 
characters. The text of any deleted subject matter must be shown by being placed 
within double brackets if strike-through cannot be easily perceived. An accompanying 
clean version (without markings) and a statement that the substitute specification
contains no new matter must also be supplied. Numbering the paragraphs of the
specification of record is not considered a change that must be shown.

Drawings 

The drawing number 2 provided by the applicant in response to the previous 
office action is objected to because the blocks of this drawing do not have reference 
numbers. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required 
in reply to the Office action to avoid abandonment of the application. Any amended 
replacement drawing sheet should include all of the figures appearing on the immediate 
prior version of the sheet, even if only one figure is being amended. The figure or figure 
number of an amended drawing should not be labeled as "amended." If a drawing figure 
is to be canceled, the appropriate figure must be removed from the replacement sheet, 
and where necessary, the remaining figures must be renumbered and appropriate 
changes made to the brief description of the several views of the drawings for 
consistency. Additional replacement sheets may be necessary to show the renumbering 
of the remaining figures. Each drawing sheet submitted after the filing date of an 
application must be labeled in the top margin as either "Replacement Sheet" or "New 
Sheet" pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, 
the applicant will be notified and informed of any required corrective action in the next 
Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112

Claims 1, 5, 14 and 18 are rejected under 35 U.S.C. 112, second paragraph,
as being indefinite for failing to particularly point out and distinctly claim the subject
matter which applicant regards as the invention.

Claim 1, in line 7, recites "applying a rate limit for verifying access...", claim 14,
in line 3, recites "applying an access rate limit ..." and claim 18, in line 3, recites "rate
limit access to the server..." which make these claims indefinite, because the nature of
the rate limit is not specified in these claims (i.e., what kind of criteria is used as a rate
limit).

Claim 5 is indefinite because, in line 1, it recites "said identification data is verified
by said user." This limitation is contrary to the verification procedure described in the 
specification (see page 4, line 20 through page 5, line 5 and page 5, lines 19-31). 
According to the verification procedure described in the specification, the access control 
system sends an identification data to the user after receiving an access request from 
the user. The user responds to the access control system by sending an identification 
data. If the sent and received identification data by the access control system 
correspond to each other then the user is verified and is allowed to access resources on 
the application server. Thus, the identification data is verified by the access control 
system not by the user. 

Appropriate corrections are required.

Claim 14 is indefinite because the need for performing other levels of security
beside the execution of the first security level is not stated (i.e. reason is not given in the
claim). This claim is also indefinite because the security step "applying an access rate
limit..." and the first security level "invoking a first control level..." do not clearly specify the
nature of the security schemes and could be any one of the other security levels in the
claim. Thus, these two security steps fail to further limit the claim and are redundant.

The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

Claim 14 is rejected under 35 U.S.C. 112, first paragraph, as based on a 
disclosure which is not enabling. The use of an identification data transmitted between a 
server and user in order to verify the user by the server is essential to the practice of the 
invention, but not included in the claims. See In re Mayhew, 527 F.2d 1229, 188 
USPQ 356 (CCPA 1976). Sending an identification data to the server by the user after 
receiving from the server a unique identification data and verification of the received 
data by the server whether it corresponds to the unique identification data sent to the 
user apparatus is essential to the invention because that is the only information used
to verify a user and allow the user to access a service in the claimed invention
described in the specification (see specification page 5, lines 19-31).

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-8, 16, 17, 19-23, 25 and 26 are rejected under 35 U.S.C. 102(e) as 
being anticipated by Guthrie et al (6,161,185; hereinafter Guthrie). 

As per claims 1, 16 and 17, Guthrie discloses an access control method
performed by an access control system (see Fig. 5), including: 

receiving an access request for a service from a data processing apparatus 
(see Fig. 4, step 2); 

sending unique identification data to said apparatus in response to said access
request (col. 4, lines 18-19; col. 7, lines 20-26, where the server transmits a challenge
having a certain length to the client that corresponds to the recited sending unique
identification data to said apparatus); and

applying a rate limit (col. 8, lines 11-12: detects too many successive
authorization failures) for verifying access to said service, using an access request
queue (col. 8, lines 11-12: detects too many successive authorization failures in a row,
where row is an indication that the request is in a queue), until said identification
data is received from a user of said apparatus and verified by said access control
system (see col. 2, lines 19-32; col. 4, lines 29-35; col. 8, lines 7-40).

As per claim 2, Guthrie discloses an access control method as claimed in claim 
1, wherein verifying said identification data corresponds to a first level of access 
control, and said method includes applying at least one additional different level of 
access control following a predetermined number of failed attempts to verify said 
identification data by said user of said apparatus (see col. 4, lines 1-13). 

As per claim 3, Guthrie discloses an access control method as claimed in
claim 2, wherein said identification data is a random unique security code (see col. 
4, lines 16-18, where the seed value corresponds to the recited random unique 
security code; col. 6, lines 57-60) and said apparatus is sent an unique 
identification number for the apparatus, for sending with subsequent access 
requests and which expires if the security code is not verified within a 
predetermined period of time (see, e.g., col. 4, lines 14-28 and 35-41). 

As per claim 4, Guthrie discloses an access control method as claimed in claim 1,
wherein said identification data is verified by contacting an independent communications 
device with a known association to said user and said data processing apparatus, and 
having said user provide said identification data using said device (Figs. 4 & 5, col. 7, 
lines 10-26).

As per claim 5, Guthrie discloses an access control method as claimed in
claim 1, wherein said identification data is verified by said user returning said
identification data using an independent communication means having a known
association to said user and said data processing apparatus (Figs. 4 & 5, col. 7,
lines 10-26, where the user 114 is associated with the client apparatus
102).

As per claim 6, Guthrie discloses an access control method as claimed in claim 
3, wherein said at least one additional level includes detecting generation of access 
requests for said service under control of a program instead of under control of said 
user (see, e.g., col. 1, lines 30-38; col. 4, lines 30-35, where using a random code 
generator by a user corresponds to the recited access requests for said service 
under control of a program). 

As per claim 7, Guthrie discloses an access control method as claimed in claim 
2, wherein said at least one additional level of access control includes sending 
communication software to said apparatus to receive access requests for said service 
under an additional communication protocol (see, e.g., col. 5, lines 10-15; col. 5, lines 
49-54). 

As per claim 8, Guthrie discloses an access control method as claimed in
claim 7, wherein said communication software encrypts said access requests
(col. 3, lines 10-12).






As per claim 19, Guthrie discloses an access control method as claimed in
claim 4 or 15, wherein said independent device is a telephone of the user (col. 4,
lines 65-67).

As per claim 20, Guthrie discloses an access control method as claimed in claim
5, wherein said independent communications means is a telephone of the user (col. 4,
lines 65-67).

As per claim 21, Guthrie discloses an access control method as claimed in claim
1, wherein said unique identification data is sent in a graphic format and received from
said user in a different format (col. 6, lines 21-27).

As per claim 22, Guthrie discloses an access control method as claimed in claim
6, wherein said detecting includes sending the unique identification data in a graphic
format, and requesting a response in a different format (col. 6, lines 21-27).

As per claim 23, Guthrie discloses an access control method as claimed in claim
11, wherein said blocking is at a router level close to said apparatus (col. 15, lines 5-9).

As per claim 25, Guthrie discloses the access control method of claim 1, wherein
the step of applying the rate limit for verifying access to said service comprises placing
the access request in the access request queue when the rate limit is exceeded (col. 8,
lines 11-12: detects too many successive authorization failures in a row, where row is
an indication that the request is in a queue. Furthermore, the requests are always in a
queue during authentication process until either permitted to access the resources or
being denied access).

As per claim 26, Guthrie discloses the access control method of claim 1, wherein
the rate limit limits a number of access requests from said data processing apparatus
over a period of time, until said user of said apparatus sends said unique identification
data, and said unique identification data is verified (col. 8, lines 11-12: detects too many
successive authorization failures).

Allowable Subject Matter

Claims 9-13, 15, 24, 27 and 28 are objected to as being dependent upon a
rejected base claim, but would be allowable if rewritten in independent form including all 
of the limitations of the base claim and any intervening claims. 

Claims 14 and 18 would be allowable if rewritten or amended to overcome the 
rejections under 35 U.S.C. 112, 1st and 2nd paragraphs, set forth in this Office action.



Application/Control Number: 10/088,034

Art Unit: 2132 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

US Patent No. 7,206,805 B1 to McLaughlin, Jr. 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Abdulhakim Nobahar whose telephone number is 571- 
272-3808. The examiner can normally be reached on M-T 8-6.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Abdulhakim Nobahar 
Examiner

GILBERTO BARRON
SUPERVISORY PATENT EXAMINER